Revoking a role for a resource
You can prevent a subject from accessing a resource. To do this, revoke the subject's roles for that resource or the resources that the access rights are inherited from. For more information, see How access management works in Yandex Cloud.
- In the management console, select the folder where you want to revoke a role for a resource.
- In the list of services, select Container Registry.
- Revoke a role for the resource.
  - Revoking a role for a registry:
    - To the right of the registry name, click and select ACL registry.
    - In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
    - Deselect the role that you want to revoke. To revoke all the user's permissions, click Revoke.
    - Click Save.
  - Revoking a role for a repository:
    - Select the registry.
    - To the right of the repository name, click and select Configure ACL.
    - In the window that opens, expand the drop-down list in the row with the name of the user whose permissions you want to revoke.
    - Deselect the role that you want to revoke. To revoke all the user's permissions, click Revoke.
    - Click Save.
If you do not have the Yandex Cloud command line interface yet, install and initialize it.
The folder specified in the CLI profile is used by default. You can specify a different folder using the --folder-name or --folder-id parameter.
- View assigned roles:

  yc <service_name> <resource> list-access-bindings <resource_name_or_ID>

  Where:
  - <service_name>: Container service name.
  - <resource>: Category of the resource (registry or repository).
  - <resource_name_or_ID>: Name or ID of the resource the role is assigned for. You can specify a resource by its name or ID.

  Example. View the roles for the registry with the crp0pmf1n68d******** ID:

  yc container registry list-access-bindings crp0pmf1n68d********

  Result:

  +--------------------------+------------------+----------------------+
  |         ROLE ID          |   SUBJECT TYPE   |      SUBJECT ID      |
  +--------------------------+------------------+----------------------+
  | container-registry.admin | federatedAccount | kolhpriseeio******** |
  +--------------------------+------------------+----------------------+
- Revoke a role:

  yc <service_name> <resource> remove-access-binding <resource_name_or_ID> \
    --role <role_ID> \
    --subject userAccount:<user_ID>

  Where:
  - <service_name>: Container service name.
  - <resource>: Category of the resource (registry or repository).
  - <resource_name_or_ID>: Name or ID of the resource you revoke a role from. You can specify a resource by its name or ID.
  - --role: Role ID.
  - --subject: ID of the group, user, or service account you revoke a role from.

  Example. Revoke the container-registry.admin role for the registry with the crp0pmf1n68d******** ID from the user with the kolhpriseeio******** ID:

  yc container registry remove-access-binding crp0pmf1n68d******** \
    --role container-registry.admin \
    --subject userAccount:kolhpriseeio********
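To confirm that a revocation took effect, re-read the access bindings after remove-access-binding and check that the subject no longer appears. The script below is an added example, not part of the Yandex Cloud documentation; the function names and the second table row are constructed for illustration, and it assumes the table output format shown above.

```shell
#!/bin/sh
# Added example (not from the Yandex Cloud docs): check that a subject has
# no roles left on a registry or repository after remove-access-binding.

# Print "role subject_type subject_id" for each data row of the table that
# list-access-bindings prints (read from stdin); borders and header are skipped.
parse_bindings() {
    awk -F'[|]' '
        NF >= 4 {
            for (i = 2; i <= 4; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 != "" && $2 != "ROLE ID") print $2, $3, $4
        }'
}

# Print roles still bound to subject ID $1; exit 0 only if none remain.
remaining_roles() {
    parse_bindings | awk -v id="$1" '$3 == id { print $1; n++ } END { exit (n > 0) }'
}

# Usage: verify_revoked <registry|repository> <resource_name_or_ID> <subject_ID>
# Returns 0 if clean, 1 if roles remain, 2 if the yc call itself failed.
verify_revoked() {
    table=$(yc container "$1" list-access-bindings "$2") || return 2
    if printf '%s\n' "$table" | remaining_roles "$3"; then
        echo "OK: no roles left for $3 on $1 $2"
    else
        echo "WARNING: the roles above are still bound to $3 on $1 $2" >&2
        return 1
    fi
}

# Constructed sample: the table from the page plus one made-up row.
sample_table() {
    cat <<'EOF'
+--------------------------+------------------+----------------------+
|         ROLE ID          |   SUBJECT TYPE   |      SUBJECT ID      |
+--------------------------+------------------+----------------------+
| container-registry.admin | federatedAccount | kolhpriseeio******** |
| container-registry.admin | serviceAccount   | aje0constructed00000 |
+--------------------------+------------------+----------------------+
EOF
}
```

A clean result covers only the resource that was queried; roles assigned on the resources that access rights are inherited from have to be checked and revoked on those resources.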
Use the listAccessBindings method to view the roles assigned for the registry and repository resources.
Use the updateAccessBindings method to revoke the role for the registry and repository resources.
Read more about role management in the Yandex Identity and Access Management documentation.